The JIRA password policy is disabled by default. This policy is only useful when JIRA users are able to change their own passwords. If JIRA is connected to an eternal user management system (LDAP, Active Directory, Crowd), this policy should not be used since passwords are maintained externally from JIRA.

Click Password Policy in the left panel. Select one of the following options:

Disabled – The equivalent of having no password policy (this is the default).

Basic – Requires passwords to be at least 8 characters long and use at least 2 character types. Rejects passwords that are very similar to the previous password or the user's public information.

Secure – Requires passwords to be at least 10 characters long and use at least 3 character types including at least 1 special character. Rejects passwords that are even slightly similar to the previous password or the user's public information.

Custom – Lets you use your own settings (see below for more information).

Click the Update button to finish.

Setting custom password policies

There are many optional fields that can be set when you choose a custom password policy.

Set 'Custom' password settings

Password Length – Set a minimum and maximum length for your passwords. The defaults are 8 and 255.

Character Variety – Use these fields to set requirements around types of characters – uppercase letters, lowercase letters, special characters, and so on.

Similarity Checks – See the section below for details on this feature.

Similarity checks for 'Custom' password settings

This is a system check to make sure that your users aren't creating a new password that is too similar to the current password, the user's name, or email address. It can be set to Ignored, Lenient, or Strict.

What's the difference between Lenient and Strict?

Lenient checks for obvious similarities, like reversing the username or moving the front letter to the end.

Strict checks for more subtle variations, like mixing up the letters or adding just one new character. It also performs a character frequency analysis.

Enabling CAPTCHA

If your JIRA application server is accessible from outside your organization's firewall, and you have enabled signup, then you may want to also enable CAPTCHA. CAPTCHA helps ensure that only real humans (and not automated spam systems) can sign themselves up to JIRA. When CAPTCHA is enabled, visitors will need to recognize a distorted picture of a word (see example below), and must type the word into a text field. This is easy for humans to do, but very difficult for computers. See 'Enabling public signup and CAPTCHA' for more information about enabling this option.

Password FAQ

Answer: Character variety refers to the different types of characters you can create on a keyboard: lowercase letters, uppercase letters, numbers, and special characters. Requiring different character types makes passwords harder to guess, but it might also make them harder to remember. Use your best judgment when setting these fields, keeping in mind your company's requirements as well as your user base.

Question: Does this policy affect existing passwords?

Answer: The policy is only enforced as passwords are changed; there is no way to detect whether or not existing passwords satisfy the policy or to force the users to update their passwords if the policy has been changed. As a workaround, you can use this Crowd REST resource to forcibly change the users' passwords to something they won't know, thereby requiring them to reset it to get back in, and the password reset enforces the policy rules.